Proofpoint: Security, Compliance and the Cloud

Quite a bit of coverage today of this story about the frequency of terminations and disciplinary actions against UK officers of the law for violations of their organizations' social media and internet use policies. Our partners at LEWIS Communications in the UK filed Freedom of Information Act requests to uncover this information.

Their investigation found that more than 70 staff at the UK Ministry of Justice and London's Metropolitan Police Service have been fired or disciplined for violations of acceptable use policies for social media, Internet sites and email.

The Ministry of Justice fired four staffers and issued final warnings to another three for failing to adhere to strict policies on usage of social networking sites such as Facebook and Twitter. Another 40 staffers were disciplined for other Internet and email-related offenses.

Scotland Yard disciplined 28 police officers for breaching the Metropolitan Police Service's policies for use of social networking sites.18 were served written warnings, five were given "words of advice" and four were issued "formal misconduct" charges.

I'm quoted in these stories, noting that the Met and MoJ aren't alone in dealing with these sorts of issues. Regular readers will know that Proofpoint has previously published research about the discipline and termination actions that large companies have taken vis-a-vis violations of social media policies in our annual Outbound Email and Data Loss Prevention in Today's Enterprise report, finding among other things that:

• 17% of US companies investigated the exposure of confidential, sensitive or private information via a posting to a social networking site (e.g., Facebook, LinkedIn) in the past 12 months.
• 10% have disciplined an employee for violating social networking policies in the past 12 months. 8% reported terminating an employee for such a violation.
• 45% are highly concerned about the risk of information leakage via posts to social networking sites.
• 13% investigated the exposure of confidential, sensitive or private information via an SMS text or Web-based short message service (e.g., Twitter). 41% are highly concerned about the risk of information leakage via Web-based short messaging (e.g., Twitter).
• 66.8% of US companies responding to our survey reported having a formal acceptable use policy for social networking sites (compare that to 93% of companies that report having a formal acceptable use policy for email).

Scotland Yard has a nine-point guide that advises officers how to behave online. These cover a wide range of topics including personal and operational security, use of copyrighted material, upholding MPS standards and reputation and discrimination/harassment. It's a pretty interesting list, so I've included it below: 

• While it is a personal decision, for security reasons it is suggested that staff do not disclose their position as an MPS employee or officer. Whatever the decision, one should avoid disclosing personal details which may be used for identity theft, or to identify one's home address or other sensitive details. Do ensure that the privacy settings available on social networking sites are used.
• Irrespective of whether you disclose your position, you must do nothing which risks bringing the MPS into disrepute or compromising its effectiveness or the security of its operations or assets. To do otherwise might lead to disciplinary and/or legal action, with potentially serious consequences.
• If disclosing your association with the MPS, staff must consider whether it is appropriate to discuss their role within the MPS, as any information that may compromise police operations or investigations or which breaches the Official Secrets or Data Protection Acts must not be divulged.
• Staff must not divulge any official MPS information, including information obtained through your work for the MPS, nor expand upon MPS information already available in the public domain.
• If staff disclose that they work for the MPS, then it must be made absolutely clear that any views expressed do not represent the official position of the MPS but are the views of the individual.
• Staff must not use any MPS logo or other copyrighted material.
• Staff may accept payment for their own material produced away from their MPS employment, provided that this has been officially registered and sanctioned as a business interest, and providing the material does not in any way relate to policing. Failure to register and obtain a sanction for a business interest may result in formal disciplinary action being taken.
• Under no circumstances must staff bring the reputation of the MPS into disrepute by making derogatory comments regarding MPS policies/procedures/operations or any other activities.
• In accordance with the MPS Equality Policy and SOP, staff must not display offensive images or make offensive comments, or in any way harass, intimidate, bully, victimise or discriminate against others.

You can find more coverage of this story at:

ComputerWeekly: Law Officers Disciplined for Bad Behavior Online
(ComputerWeekly also has the full text of the Metropolitan Police Service's Freedom of Information Request response at http://www.computerweekly.com/blogs/read-all-about-it/2010/02/the-mets-mea-culpa.html)

WebUser: Police, MoJ Staff Disciplined for Web Use

Computerworld: Police Officers Discliplined for Facebook Use